Date: Mon, 27 Jul 2015 13:55:51 +0000
From: Ankeet Presswala <mythic.boost@...il.com>
To: oss-security@...ts.openwall.com
Cc: bperry.volatile@...il.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

Whatever happened to the half-life of vulnerabilities?

From https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability :

"Where can I download the exploit?

We want to give everyone enough time to patch. According to our data once
the vulnerability has reached its half-life we will release the exploit.
Half-life is the time interval measuring a reduction of a vulnerability’s
occurrence by half. Over time, this metric shows how successful efforts
have been to eradicate vulnerability. A shorter half-life indicates faster
remediation. Half-life was originally coined by Qualys in the Laws of
Vulnerability."

On Mon, Jul 27, 2015 at 7:53 AM mancha <mancha1@...o.com> wrote:

> On Fri, Jul 24, 2015 at 12:37:29PM -0500, Brandon Perry wrote:
> > Prefer the term coordinated disclosure.
> >
> > Sent from a phone
> >
> > > On Jul 24, 2015, at 10:56 AM, mancha <mancha1@...o.com> wrote:
> > >
> > >> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote: Qualys
> > >> Security Advisory <qsa@...lys.com> writes:
> > >>
> > >>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release
> > >>> Date for CVE-2015-3245 and CVE-2015-3246.  Please find our
> > >>> advisory below, and our exploit attached.
> > >>
> > >> *Why* are you releasing a full exploit just minutes after the patch
> > >> is released?
> > >>
> > >> (Disclosure: I am employed by Red Hat, but this is my purely
> > >> personal question.)
> > >>
> > >> -- Leif Nixon
> > >
> > > There was absolutely nothing wrong with Qualys' timing. When the
> > > embargo ends, it ends.
> > >
> > > The real problem is the underlying model: "responsible disclosure".
> > > It's nothing more than a CYA strategy that doesn't maximize the
> > > ecosystem's welfare. The positive-sounding name fools some into
> > > thinking it a good thing.
> > >
> > > --mancha
>
> Agreed. Coordinated disclosure is much more precise.
>
> Also, it's judgment-free unlike the loaded term "responsible disclosure"
> that implies alternative disclosure models like full disclosure are
> irresponsible.
>
> --mancha
>
